Privacy Concerns with Shopify Apps I Think About

By Chris Mullen, February 9, 2020

Data Privacy

I do have privacy concerns with Shopify apps. It always seems that large enterprises and companies tout how vital privacy is yet don’t follow up with their actions. Some of us deem privacy essential to life and dangerous to give up. In contrast, others are more accepting of a new world of sharing everything. Shopify is a very secure solution for e-commerce, and I do believe the public company takes privacy seriously. But I also think they are allowing app developers too much access to a storeowner’s customer information.

Now, we are not talking about payment data. We are talking about personal data related to names, addresses, phone numbers, purchase histories, IP addresses, etc.

Review for yourself what we would need to agree to if we want to add the Google Shopping app to our store.

Privacy Concerns with Shopify Apps: List of Permissions.

In this first example, “Manage Products,” we see Google Shopping requests a storeowner’s data such as Shopify account, email addresses, phone numbers, and store locations. This seems understandable for ensuring a reliable shopping experience on the platform.

The “Manage Products” access seems fine. Google Shopping also needs data concerning your products and collections. Again, this is another set of data that appears essential since you want your products on Google Shopping.

This next line item, “View Orders,” is where I become annoyed. Privacy concerns with Shopify Apps are very real. Google Shopping requests access to customer names, customer email addresses, phone numbers, physical addresses, geolocations, IP addresses, and browser user agents. For me, this is crossing a line. A Shopify store owner using the Google Shopping app is required to give up all customer data to Google (or Alphabet). In my opinion, this is a violation of trust between a Shopify store owner and her customers. This red flag is the primary reason our print company does not implement the Google Shopping app.

Privacy Concerns with Shopify Apps: A second list of permissions a Shopify app requires

This second wave of access notes seems a little less problematic until I review a little closer. “Managing Marketing,” “Manage Store Analytics,” “View your Online Store,” and “Manage Other Data” seem like commonly accessible areas that any application by Google would need. I am mostly concerned with the vague “payment gateways” statement. 

Supposedly, if you ever remove the app from your store, Shopify will request the app company to delete all data from their records.

To erase your customers' personal information from Google Shopping, remove the app. After 48 hours, a request will be sent to Google Shopping to erase all data.

Does anyone actually believe this? There is no way Google deletes all records and data they acquire.

Guess what? This data sharing is not an exception to the rule. Many of the thousands of apps available in the Shopify app store require the same permissions. A store owner must be careful about balancing privacy and functionality. For instance, we implement an app called “CM Commerce Email Marketing,” which requires access to most of our customer data. If we want to email customers follow-ups, marketing emails, and surveys, we must play ball. We try not to “play ball” all the time and remain cautious about the apps we download. Being fair, we are guilty of using the “Facebook Marketing” app, which might be the one app that is worse than using a Google app.

The point is this: Almost all storeowners give these app companies access to a wide range of customer data. Customers probably do not fully recognize this is occurring. When someone shops on our website, they have no idea that “CM Commerce Email Marketing” or “Facebook” or “Google” is granted permission to store all of their personal data from the site as well.

What choice does Shopify have? If a store owner wants to add functionality to their website by using an app, certain information must be shared. An email marketing app cannot work if there is no access to email addresses. We can only hope that Shopify is strict with developer policies.

What’s the point? I don’t really know. When we considered downloading the Google Shopping app, the required permissions surprised me. I rejected installing the app and want to let off some steam about it.

I can’t be mad at Shopify. The e-commerce giant is pretty amazing. Years ago, we moved to Shopify from a custom-built e-commerce platform mostly for security and privacy reasons. To be fair, they are probably more strict than the other e-commerce solutions out there. I can’t be mad at third party apps since they improve the Shopify experience. The only solution I can think of is to make sure we are critical of any app we install to make sure we are protecting consumers the best we can.